add the script to download certs and apply azure policy operation on …

…an AKS

Signed-off-by: Shahram Kalantari <[email protected]>

ratify-on-azure.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+echo "Starting Ratify on Azure\n"
+echo "RESOURCE_GROUP: $RESOURCE_GROUP\n"
+echo "CLUSTER_NAME: $CLUSTER_NAME\n"
+echo "ENABLE_MUTATION: $ENABLE_MUTATION\n"
+echo "ENABLE_CERT_ROTATION: $ENABLE_CERT_ROTATION\n"
+echo "enable managed identity ... \n"
+az aks update --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME --enable-managed-identity
+# Get AKS credentials
+echo "show identity info\n"
+az aks show --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME --query "identity" -o tsv
+echo "show account info\n"
+az account show --query "{name:name, user:user}" -o json
+principalId=$(az aks show --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME --query "identity.principalId" -o tsv)
+echo "principalId: $principalId"
+echo "role assignment ...\n"
+az role assignment list --assignee $principalId --output table
+az role assignment create --assignee $principalId --role "Azure Kubernetes Service Cluster User" --scope /subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.ContainerService/managedClusters/$CLUSTER_NAME
+
+clientId=$(az aks show --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME --query "identity.clientID" -o tsv)
+echo "clientId: $clientId\n"
+az aks get-credentials --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME --overwrite-existing --identity $clientId
+
+
+# install helm
+curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
+
+# Install Ratify using Helm
+helm repo add ratify https://deislabs.github.io/ratify
+helm repo update --namespace gatekeeper-system --create-namespace --set authProvider.azureWorkloadIdentity.clientID=$RATIFY_CLIENT_ID --set provider.enableMutation=$ENABLE_MUTATION --set featureFlags.RATIFY_CERT_ROTATION=$ENABLE_CERT_ROTATION
+